Tag: cyber security

My responses to Times of India’s Kim Arora on the draft Geospatial Information Regulation Bill, 2016.

The wording in the draft bill is way too general and could cover anything from school children’s maps, to digital maps used by consumers to navigate, to more specialised commercial/scientific usage. Such a general wording will defeat any policy intention and create a morass of bureaucracy and corruption. With that kind of wording, anything is possible. Lawyers will have a field day.

There is a case for the government to insist that all companies and individuals in India must represent India’s boundaries accurately according to our government’s official position. However, this purpose does not require a license-permit-enforcement raj that the bill will end up creating. A simple law that imposes penalties for deliberate misrepresentation of boundaries will suffice.

As it stands, the bill will harm innovation in the IT and tech sector, raise costs for farmers and industry and create a lot of petty corruption. This is not a bill that is consistent with PM Modi’s stated vision of Digital India and Startup India.

According to reports in The Guardian—based on information illegally divulged by NSA contractor Edward Snowden—we know that India is among the top ten countries that the United States snoops on. In March 2013 alone, one of NSA’s programmes collected 6.3 billion pieces of information from India. (Yes, all the hoopla in the US about spying is limited to outrage over the US government spying on its own citizens. Spying on other countries’ citizens is somehow acceptable to many freedom- and privacy-loving Americans.)

What should the Indian government do about this? Here are some options:

1. Do nothing. High officials can express their disapproval. The foreign ministry can register a strong written protest. The US ambassador can be told in no uncertain terms that New Delhi is displeased with the snooping. Essentially, nothing actually changes.

2. Take defensive measures. It is incredibly hard to defend Indian communications networks against the kind of surveillance that the NSA is carrying out. It is impossible to harden all networks—although the government can attempt to move its employees onto more secure platforms. When so many government employees still use Gmail, Hotmail and Yahoo for correspondence with people outside government, there is a lot that the government can do to make official communications more secure. This still leaves public communications heavily vulnerable to snooping by one and all.

3. Attempt to achieve a balance-of-snooping. Start snooping on ordinary Americans (okay, suspected terrorists only) until the US government gets concerned. Then negotiate a truce to control snooping, much like arms control deals that managed arms races. Even if cyberspace offers asymmetric opportunities, the gap in capacities between India and the United States is mind-bogglingly large. It will take years of sustained investment and effort for the Indian government to do anything that’ll worry the US government enough to want to negotiate. The Chinese might be able to pull this off, though.

4. If you can’t stop them, join them. Use the India-US strategic partnership to collaborate with the United States in the cyber-surveillance and intelligence domains and use the collaboration to acquire skills, capabilities and technology that India does not currently have. Once such capabilities are acquired, India will have more options.

In an op-ed in Indian Express I make two sets of arguments. The first set points out that the government has realised that it needs expertise from outside its cloisters to address contemporary policy challenges and must reform itself in order to be able to use it.

The second set distinguishes three aspects of information policy in the geo-strategic and national security context: cyber security, addressing physical threats that emerge from cyber space and finally cyber-strategy. Much of the emphasis in the government’s plan is on the first of the three. It ought to place adequate emphasis on the other two. Without debating and evolving a new balance on the bounds of government in cyberspace, it will be difficult to manage the threats that emerge from it. Without investing in intellectual inquiry into the fundamentals of cyber conflicts, it will be difficult to shape a cyber strategy that protects and promotes India’s national interests in the international arena. Also, India ought to be wary of both premature and delayed militarisation of cyber strategy. You can read the whole essay here.

Subimal Bhattacharjee’s op-ed in Mint presents another perspective. Mr Bhattacharjee argues that while institutionalising cyber security management in a joint working group under the NSCS is a good thing “the key point is the cohesive functioning of the permanent JWG and the implementation of these recommendations.”

Jayant Choudhry, the Rashtriya Lok Dal MP from Mathura, was the only legislator who expressed in the Lok Sabha concerns raised by citizens against the draconian Information Technology Rules (IT Rules) that came into effect this year. (More about what’s wrong with these rules in my DNA op-ed, Sunil Abraham and M R Madhavan in Pragati)

The new IT rules put in place by the UPA government earlier this year have received far less public attention than they should. We covered them in this month’s issue of Pragati. One of the speakers at the recent Takshashila Shala described the damage they can do. In today’s DNA column I suggest how we, as ordinary citizens, can use constitutional methods to call for these rules to be reviewed. Write to your MP.

So your daughter is finishing college soon. She’s waiting for entrance exam results and also applying for some jobs. Would you permit the guy who runs the neighbourhood internet browsing shop to know her name, address, phone number and keep her photograph? Would you be comfortable if he knows which websites she has been accessing? Probably not. Now prepare to be shocked. Under the new Rules under the Information Technology Act (IT rules), the Government of India requires cyber cafe operators to collect this information about your daughter. You’ll probably protect your daughter’s privacy by buying her a personal computer, but what about the millions of fathers who can’t afford one?

But why does the government require your daughter to provide personal information to a stranger? National security, perhaps. After all, terrorists have been using cyber cafes and unsecured Wi-Fi connections to send manifestos (usually in bad English) and claim responsibility for attacks. So if cyber cafe operators collect the names and photographs of all their customers, the authorities will be able to quickly identify the terrorists the next time they send an email message. This is an excellent method to catch last year’s terrorists. Prospective terrorists are either unlikely to use cyber cafes because of these restrictions or, if they do, will provide false information.

The inability to use cyber cafes isn’t going to deter terrorists. It’s only going to cause them to use different tactics. Ordinary citizens, however, will suffer risks to their privacy. Cyber cafe owners will have yet another set of regulations to comply with. The unscrupulous among them might try to get around these rules through the well-known route of bribing the inspector. The inspector, who, among other matters, has the authority to determine whether or not the partition between two cubicles is no more than 52 inches high, will have to avoid the temptation of looking the other way for a fee. If the Lok Pal comes into effect, it might have to appoint an army of inspectors to investigate allegations against the army of cyber cafe inspectors that will have to be appointed for the purpose of measuring the dimensions of cyber cafe partitions. The Lok Pal’s inspectors themselves, as we all know, will be extraordinary, incorruptible individuals, unlike cyber cafe inspectors.

And you ask why corruption is growing?

Maybe cyber cafes don’t concern you. What about free speech, which makes it possible for me to disparage the IT rules as being poorly considered? Under the new rules, users cannot post material online that is “grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner”. And who gets to decide what constitutes any of the above? No, not a magistrate or even a government officer. Anyone can send a notice to the owner of a website giving notice of a violation under any of the loose, subjective criteria. It then must be taken down within 36 hours.

Complain about bad service from an airline on your blog, and they can send a take down notice claiming it is defamatory, libellous or disparaging. In the hands of the easily outraged, aggressively hypersensitive and competitively intolerant sections of our population this will have the effect of further chilling freedom of expression. Moreover, the inclusion of the word blasphemy in that list makes you wonder which country we are in.

Actually, we don’t need these new rules to protect us from libel, paedophiles or incitement to violence. There are existing laws for that. A libel is a libel whether committed on paper or in ether. These rules, though, have the unacceptable consequence of stifling free speech. They weaken the ordinary citizen and put another coercive tool in the hands of the powerful and the intolerant. They must be reviewed.

Even though they came into force recently, they can be reversed. The government must place these rules before Parliament, which can amend these rules. All it takes is for one MP to demand a discussion. There is time, but it is short: only until Budget Session 2012. Here’s what’s doable: write, call or visit your MPs. Write to the leaders of the political party you support. You’ll find their contact information at http://is.gd/loksabha and http://is.gd/rajyasabha. Explain to them that the IT rules are an unacceptable infringement of our freedom. Ask them to demand a discussion on the floor of Parliament. The government has exceeded the authority given it by Parliament and every MP should be concerned.

The rules can also be challenged in court, especially by persons who are directly affected by them. A well-drafted PIL in the Supreme Court is also possible.

The awakening of middle India this year can yet lead to better governance if we adhere to constitutional methods. It’s not going to be easy. Parliament is not what it once was. For years, it has not changed a single rule tabled by the government. But how hard is it to write to your MP? Your letter might make a difference.

BlackBerry must comply with Indian law. India needs a new debate on privacy.

Yes, terrorists can use anything to communicate with each other, plan attacks and help carry them out.

Hafiz Mohammed Saeed can write letters, in code, and send them by post to his sleeper agents in India. He probably does that. But not all means of communications are alike in their ability to help terrorists carry out attacks. A terrorist with a satellite phone with real-time voice and data connection is far more dangerous than a terrorist who carries letters in his pocket. So the argument that terrorists can use anything to communicate is not a valid counter to the argument that government agencies can prevent, investigate and prosecute terrorists better if they are capable of intercepting or blocking real-time communications.

For instance, there is a reasonable argument that the damage to life and property in Mumbai during the 26/11 attacks might have been lower if the terrorists had been denied access to real-time communications, from satellite phones, to cellular phones to broadcast television. There is also a reasonable argument that the ability to intercept the phone calls made by the terrorists plays an important role in prosecuting them in courts of law and in courts of public opinion. India’s law enforcement agencies have had the ability to tap your phone for ages, but apart from the odd political scandal, it is difficult to build a case that this has somehow led to the infringements of the rights of ordinary citizens.

The current debate over BlackBerry’s messaging system must be placed in this context. The ongoing discussion between the Indian government and Research In Motion (RIM), the Canadian company that provides BlackBerry services, involves two inter-related issues.

First, whatever might be RIM’s values, business practices and corporate policies, its business in India is governed by Indian law. The contention that “no one else has a problem with our service” is no defence—India has security considerations that might be peculiar to it, and as long as the requirements are constitutionally legitimate, RIM must comply. It is disingenuous to conflate the legitimate authority of a constitutional democracy—imperfect as India’s is—with that of the demands made by totalitarian or authoritarian states. The two are morally and practically different. [See this editorial in the Globe and Mail].

RIM could insist—as it has just done—that it is not treated any differently from others in the field, but it cannot get away with the excuse that its corporate policy overrides the rule of law in India.

The second and more important issue is for India to establish due processes to determine just who, under what circumstances and under what checks and balances, gets to actually block or intercept communications. A national debate over digital privacy, powers of government and mechanisms for redressal is now urgent, as the Indian economy and society become ever more reliant on communications networks.

It is clear that citizens need greater, more credible safeguards. It is also clear that the government needs to be more capable of addressing threats that arise from advances in communications technology. What is not clear is whether the political establishment sees these as priorities worthy of wider public deliberation. The usual practice of passing legislation without adequate parliamentary debate is neither likely to reassure citizens of their rights nor offer new ideas to law-enforcement agencies.

This blog has consistently argued against blunt measures like banning telecommunication services, even and especially in insurgent- and terrorist-affected areas. Governments must learn how to operate in an information-rich, networked world. Therefore, to the extent that the Indian government’s threat to block BlackBerry services is a device to press RIM to better co-operate with the law-enforcement agencies, it is tolerable. Such a threat is credible only if it can hurt both the government itself and RIM. This appears to be the case.

However, it would be a serious mistake if the government were to make such a ban permanent. Not because India needs the BlackBerry, but because the underlying rationale is self-defeating.